Feb 25, 2016
Multilinear Maps and Obfuscation: A Survey of Recent Results
Shai Halevi, IBM Research
PKC 2014

Notes:
1. Magnificent Maginot line
2. This doesn't mean that fortification technology is useless
3. Lack of response may indicate that our tools/skills are not useful to solve these problems?
3a. If so, we may witness a drop in funding
3b. We may be good at articulating notions of robustness
Prologue
We are in the midst of (yet another) quantum leap in our cryptographic capabilities
Things that were science fiction just two years ago are now plausible:
- General-purpose functional encryption
- Crypto-strength code obfuscation
Fueled by new, powerful building blocks: the combination of Homomorphic Encryption (HE) and Cryptographic Multilinear Maps (MMAPs)

This Talk
Overview of the main new tool: constructing MMAPs using HE techniques
And its application to obfuscation
There are many other applications (not today): Witness Encryption, Full-Domain Hash, Functional Encryption, ...

Chapter One: Multilinear Maps
Starting Point: DL-based Crypto
To use DH in applications, ensure that:
- legitimate parties only need to compute linear functions in the exponent
- the adversary needs to compute/check quadratics in the exponent (the DDH problem)
Some examples: Diffie-Hellman key exchange, ElGamal encryption, Cramer-Shoup CCA-secure encryption, Naor-Reingold PRF, efficient ZKPs, ...
Beyond DDH: Bilinear Maps [J00, SOK00, BF01]
In bilinear-map groups you can compute quadratic functions in the exponent, but computing/checking cubics is hard
Now the legitimate parties can do a lot more, which leads to new capabilities:
- Identity-based encryption (IBE)
- Predicate encryption (for simple predicates)
- Efficient non-interactive zero-knowledge proofs
[J00] Joux, [SOK00] Sakai, Ohgishi, Kasahara, [BF01] Boneh, Franklin

Why Stop at Two?
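To make the "degree kappa is easy for everyone, degree kappa+1 is out of reach" split concrete, here is an added generic-model simulation of a kappa-linear map. It is not part of the talk and not the [GGH13]/[CLT13] constructions (whose encodings are noisy lattice/integer objects); it only models the interface a graded encoding exposes, with opaque handles standing in for group elements and a toy prime p as an assumption. The (kappa+1)-party key exchange is the standard illustration that generalizes Diffie-Hellman (kappa = 1) and Joux's three-party protocol [J00] (kappa = 2); the DDH check shows the flip side that the slide above states for bilinear groups: once kappa >= 2, a quadratic check that was hard in a plain DL group becomes routine. All function and class names are this example's own.

```python
"""Generic-model simulation of a kappa-linear map (added illustration; not
the [GGH13]/[CLT13] constructions).  Encodings are opaque handles into a table
the oracle keeps private, so callers get only what a graded encoding exposes:
addition at equal levels, multiplication while the levels sum to at most
kappa, and a zero-test at level kappa.  Values live in Z_p for a toy prime p.
"""
import secrets


class GenericMultilinearMap:
    def __init__(self, kappa, p=(1 << 127) - 1):   # p: toy Mersenne prime (assumption)
        self.kappa, self.p = kappa, p
        self._table = {}                            # handle -> (level, value)

    def _new(self, level, value):
        handle = secrets.token_hex(16)              # the handle leaks nothing about value
        self._table[handle] = (level, value % self.p)
        return handle

    def level(self, h):
        return self._table[h][0]

    def encode(self, value, level=1):
        """A level-1 encoding plays the role of g^value in a DL group."""
        return self._new(level, value)

    def add(self, h1, h2):
        (l1, v1), (l2, v2) = self._table[h1], self._table[h2]
        if l1 != l2:
            raise ValueError("addition needs equal levels")
        return self._new(l1, v1 + v2)

    def scalar_mul(self, h, k):
        """Scaling by a known scalar is free at any level (g^v -> g^(k*v))."""
        level, value = self._table[h]
        return self._new(level, value * k)

    def mul(self, h1, h2):
        """The multilinear map itself: levels add, and degree > kappa is refused."""
        (l1, v1), (l2, v2) = self._table[h1], self._table[h2]
        if l1 + l2 > self.kappa:
            raise ValueError(f"degree {l1 + l2} exceeds multilinearity {self.kappa}")
        return self._new(l1 + l2, v1 * v2)

    def is_zero(self, h):
        level, value = self._table[h]
        if level != self.kappa:
            raise ValueError("the zero-test works only at the top level")
        return value == 0

    def same_value(self, h1, h2):
        """Equality of two top-level encodings through a single zero-test."""
        return self.is_zero(self.add(h1, self.scalar_mul(h2, -1)))


def key_exchange(kappa):
    """(kappa+1)-party non-interactive key agreement: party j publishes [a_j]_1,
    multiplies the other kappa public encodings (reaching level kappa) and scales
    the result by its own secret, so all hold [a_0 * ... * a_kappa]_kappa."""
    mmap = GenericMultilinearMap(kappa)
    private = [secrets.randbelow(mmap.p - 1) + 1 for _ in range(kappa + 1)]
    public = [mmap.encode(a) for a in private]
    keys = []
    for j in range(kappa + 1):
        acc = None
        for i, h in enumerate(public):
            if i != j:
                acc = h if acc is None else mmap.mul(acc, h)
        keys.append(mmap.scalar_mul(acc, private[j]))
    return mmap, public, keys


def eavesdropper_key(mmap, public):
    """An outsider holds only the kappa+1 level-1 encodings.  Multiplying all of
    them needs degree kappa+1, which the map refuses, so this returns None."""
    acc = public[0]
    try:
        for h in public[1:]:
            acc = mmap.mul(acc, h)
    except ValueError:
        return None
    return acc


def ddh_check(mmap, ha, hb, hc):
    """Decide c == a*b from level-1 encodings.  A quadratic in the exponent:
    available as soon as kappa >= 2, impossible in a plain DL group (kappa == 1)."""
    one = mmap.encode(1)
    lhs, rhs = mmap.mul(ha, hb), mmap.mul(hc, one)
    while mmap.level(lhs) < mmap.kappa:             # pad with encodings of 1 up to level kappa
        lhs, rhs = mmap.mul(lhs, one), mmap.mul(rhs, one)
    return mmap.same_value(lhs, rhs)


def ddh_is_easy(kappa):
    """True iff a kappa-linear map lets anyone run ddh_check, i.e. kappa >= 2."""
    mm = GenericMultilinearMap(kappa)
    try:
        ddh_check(mm, mm.encode(2), mm.encode(3), mm.encode(6))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    mm, pub, keys = key_exchange(3)
    print("all four parties agree:", all(mm.same_value(keys[0], k) for k in keys))
    print("eavesdropper's key:", eavesdropper_key(mm, pub))
    print("DDH easy for kappa=1, kappa=2:", ddh_is_easy(1), ddh_is_easy(2))
```

The oracle hides values by construction, so this says nothing about the security of any real candidate; what it does show is the shape of every MMAP application on the following slides: legitimate users stay within degree kappa and finish with a single zero-test, and an attacker's obvious move needs one level more than the map offers.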
The [GGH13] Approach to MMAPs
MMAPs vs. SWHE
Main Ingredient: Testing for Zero
Bird's-Eye View of [GGH13]
[GGH13] Garg, Gentry, Halevi, Eurocrypt 2013; [CLT13] Coron, Lepoint, Tibouchi, CRYPTO 2013
Graded Encoding Schemes
Some Variants
Hardness Assumptions
Pass, Seth, Telang
A Few Words About Performance
Take-Home from Chapter One
Chapter Two: Obfuscation
Code Obfuscation
Encrypting programs while maintaining functionality
Only the functionality should be visible in the output
Example of recreational obfuscation:

@P=split//,".URRUU\c8R";@d=split//,"\nrekcah xinU / lreP rehtona tsuJ";sub p{
@p{"r$p","u$p"}=(P,P);pipe"r$p","u$p";++$p;($q*=2)+=$f=!fork;map{$P=$P[$f^ord
($p{$_})&6];$p{$_}=/ ^$P/ix?$P:close$_}keys%p}p;p;p;p;p;map{$p{$_}=~/^[P.]/&&
close$_}%p;wait until$?;map{/^r/&&<$_>}%p;$_=$d[$q];sleep rand(2)if/\S/;print

-- Wikipedia, accessed Oct-2013

Rigorous treatment: [Hada00, BGIRSVY01, ...]
[B+01] Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang, On the (im)possibility of obfuscating programs

Why Obfuscation?
Hiding secrets in software
- AES encryption -> public-key encryption
  [figure: plaintext -> AES with the key embedded in the program -> ciphertext; obfuscating that program turns it into a public-key encryption scheme] (image: strutpatent.com)
- Distributing software patches while hiding the vulnerability
  [figure: vulnerable program -> patched program, with the patch illustrated as a text diff:]
  1,2d0
  < The Way that can be told of is not the eternal Way;
  < The name that can be named is not the eternal name
  4c2,3
  < The Named is the mother of all things.
  ---
  > The named is the mother of all things.
  11a11,13
  > They both may be called deep and profound.
  > Deeper and more profound,
  > The door of all subtleties!
- Uploading my expertise to the web without revealing my strategies
  [figure: Game of Go board, "next move"] (image: http://www.arco-iris.com/George/images/game_of_go.jpg)
Defining Obfuscation
Want the output to reveal only functionality
E.g., if the program depends on secrets that are not readily apparent in its I/O behavior, then the "encrypted" program does not reveal these secrets
[B+01] show that this is impossible in general
Thm: If secure encryption exists, then there are secure encryption schemes for which it is possible to recover the secret key from any program that computes the encryption function
Such encryption schemes are unobfuscatable

Defining Obfuscation
Okay, some functions are bad, but can we do as well as possible on every given function?
[B+01] suggested the weaker notion of indistinguishability obfuscation (iO)
- Gives the best-possible guarantee [GR07]
- It turns out to suffice for many applications (examples in [GGH+13, SW13, ...])
[GR07] Goldwasser, Rothblum, On best-possible obfuscation
[SW13] Sahai, Waters, How to Use Indistinguishability Obfuscation: Deniable Encryption, and More

Defining Obfuscation [B+01]

Obfuscation vs. HE
Somewhat reminiscent of MMAPs vs. HE
[figure: Obfuscation: F -> obfuscated program; run on x it outputs F(x), result in the clear. Encryption: x (or F) is encrypted, and the result F(x) comes out encrypted]

Obfuscation from MMAPs, 1st Try

1st Try Does Not Work
Attack: comparing intermediate values
- Checking if two intermediate wires carry the same value
- Checking if the computation on two different inputs yields the same value on some intermediate wire
If two equal intermediate values ever happen, they can be recognized using the zero-test
Must randomize all intermediate values in all the computations, but such that the final result can still be recognized

Construction Outline
- Describe circuits as branching programs (BPs) using Barrington's theorem [B86]
- Randomized BPs (RBPs) a la Kilian [K88]
- Additional randomization to counter simple relations
- Encode RBPs in the exponent using MMAPs
- Use the zero-test to get the output
This allows obfuscating shallow circuits (NC1); another transformation (using FHE) gets all circuits

(Oblivious) Branching Programs
A specific way of describing a function
This length-9 BP has 4-bit inputs
[figure: two rows of matrices, A_{1,0}, ..., A_{9,0} and A_{1,1}, ..., A_{9,1}; each step i reads one input bit and selects A_{i,0} or A_{i,1}; the animation walks through the selection for the input prefixes 0, 01, 0110]

Kilian's Randomized BPs
[figure: the length-6 program A_{i,b} is replaced by randomized matrices B_{i,b}, i = 1..6, b in {0,1}]
Kilian's Protocol
BP-Obfuscation?
Partial Evaluation Attacks
Mixed Input Attack
[figure: highlights B_{2,0} and B_{4,1}, i.e. bit 0 chosen at step 2 and bit 1 at step 4]

Countering Simple Relations
Additional randomization steps; different works use slightly different forms of additional randomization:
- Multiplicative bundling [GGHRHS13, BR13]
- Straddling [BGKPS13, PTS14]
- Abelian component [CV13]
Can conjecture [GGHRHS13, BR13] or prove [BGKPS13, CV13, PTS14] that no simple relations exist

Completing the Construction
Security of Obfuscation
A Word About Performance
Take-Home from Chapter Two
We can obfuscate a computation by:
- Randomizing the internal values
- Putting the randomized values in the exponent and computing on them using MMAPs
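The outline above (Barrington BP, Kilian randomization, extra randomization against simple relations) can be followed at the algebra layer with a small added example; it is not the talk's code nor any paper's implementation. It builds a length-4 oblivious BP for AND of two bits from Barrington's commutator trick in S_5, applies Kilian's randomization with random invertible 5x5 matrices over Z_P for a toy prime P (an assumption), checks that functionality survives, and then runs the mixed-input attack: choosing bit 1 at step 0 but bit 0 at step 2, although both steps read x0. Because the randomization cancels in every left-to-right product, the attacker's product is exactly A_{0,1}, a value no honest evaluation ever produces. The MMAP encoding that would hide the matrix entries is deliberately left out so the leak is visible; in the encoded setting the same relation would be tested with the zero-test, which is what multiplicative bundling and straddling sets are there to prevent. All names (mat_inv, kilian_randomize, mixed_product, ...) are this example's own.

```python
"""Branching-program obfuscation at the algebra layer (added example, not the
talk's code).  Barrington-style BP over S_5, Kilian randomization, and the
mixed-input product that randomization alone does not stop.  Matrices are 5x5
over Z_P for a toy prime P; no MMAP encoding, so leaked values are in the clear.
"""
import random

P = 1_000_003   # toy prime modulus for matrix entries (assumption)
N = 5           # Barrington's theorem works in S_5: 5x5 permutation matrices


def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(N)) % P for j in range(N)]
            for i in range(N)]


def mat_inv(A):
    """Gauss-Jordan inverse mod P; None if A is singular."""
    M = [row[:] + [int(i == j) for j in range(N)] for i, row in enumerate(A)]
    for c in range(N):
        piv = next((r for r in range(c, N) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], P - 2, P)
        M[c] = [v * inv % P for v in M[c]]
        for r in range(N):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(a - f * b) % P for a, b in zip(M[r], M[c])]
    return [row[N:] for row in M]


# Permutations of {0..4} as matrices; perm_matrix(a) * perm_matrix(b) == "apply a, then b".
def perm_matrix(p):
    return [[int(p[i] == j) for j in range(N)] for i in range(N)]


def inverse_perm(p):
    q = [0] * N
    for i, j in enumerate(p):
        q[j] = i
    return q


def compose(p, q):                      # apply p, then q
    return [q[p[i]] for i in range(N)]


def is_five_cycle(p):
    i, length = 0, 0
    while True:
        i, length = p[i], length + 1
        if i == 0:
            return length == N


IDENTITY = perm_matrix(list(range(N)))
ALPHA = [1, 2, 3, 4, 0]                 # the 5-cycle (0 1 2 3 4)
BETA = [2, 0, 4, 1, 3]                  # the 5-cycle (0 2 4 3 1); [ALPHA, BETA] is again a 5-cycle
COMMUTATOR = compose(compose(compose(ALPHA, BETA), inverse_perm(ALPHA)), inverse_perm(BETA))

# Length-4 oblivious BP for AND(x0, x1): step i reads bit INP[i] and selects
# AND_BP[i][bit].  Both bits 1 -> alpha*beta*alpha^-1*beta^-1, a 5-cycle (!= I);
# any bit 0 -> the product collapses to I.  A full Barrington compiler nests
# this commutator trick for every gate of an NC1 formula.
INP = [0, 1, 0, 1]
AND_BP = [(IDENTITY, perm_matrix(ALPHA)),
          (IDENTITY, perm_matrix(BETA)),
          (IDENTITY, perm_matrix(inverse_perm(ALPHA))),
          (IDENTITY, perm_matrix(inverse_perm(BETA)))]


def evaluate(bp, inp, x):
    """Honest evaluation: every step takes its bit from the same input x."""
    prod = IDENTITY
    for i, pair in enumerate(bp):
        prod = mat_mul(prod, pair[x[inp[i]]])
    return int(prod != IDENTITY)


def random_invertible():
    while True:
        R = [[random.randrange(P) for _ in range(N)] for _ in range(N)]
        R_inv = mat_inv(R)
        if R_inv is not None:
            return R, R_inv


def kilian_randomize(bp):
    """B_{i,b} = R_i * A_{i,b} * R_{i+1}^-1 with R_0 = R_n = I, other R_i random.
    The R's cancel in every left-to-right product (functionality is kept), and by
    Kilian's lemma the tuple selected by an input x depends only on the product."""
    n = len(bp)
    R = [(IDENTITY, IDENTITY)] + [random_invertible() for _ in range(n - 1)] + [(IDENTITY, IDENTITY)]
    return [tuple(mat_mul(mat_mul(R[i][0], A), R[i + 1][1]) for A in pair)
            for i, pair in enumerate(bp)]


def mixed_product(bp, bits_per_step):
    """Mixed-input attack: pick a bit per step, ignoring that steps 0 and 2 (and
    1 and 3) read the same variable.  The R's still cancel, so the result is a
    clean function of the hidden A matrices."""
    prod = IDENTITY
    for pair, b in zip(bp, bits_per_step):
        prod = mat_mul(prod, pair[b])
    return prod


if __name__ == "__main__":
    rbp = kilian_randomize(AND_BP)
    for x in [(0, 0), (0, 1), (1, 0), (1, 1)]:
        print(x, evaluate(AND_BP, INP, x), evaluate(rbp, INP, x))
    # steps (1,1,0,1): step 0 says x0=1 but step 2 says x0=0 -> product is alpha itself
    print("leaked A_{0,1}:", mixed_product(rbp, [1, 1, 0, 1]) == perm_matrix(ALPHA))
```

Kilian's randomization only protects the tuple an evaluator selects for one consistent input; an evaluator who mixes bits across steps, or compares partial products across two inputs, is outside the lemma, which is why each of the cited constructions adds a second randomization layer (bundling scalars, straddling level sets, or an abelian component) so that inconsistent products never reach the zero-test level.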
Future Directions
- We only have two MMAP candidates, and just one approach for using them in obfuscation; it is hard to develop a theory from so few sample points
- We need better formal notions of obfuscation; current notions (such as iO) do not capture our intuition, not even for what the current constructions achieve
- Faster constructions; the complexity of the current constructions is scary
- Applications: we already have a bunch, and the sky is the limit

Thank You
Questions?

Witness Encryption [GGSW13]
A truly keyless encryption
Can encrypt relative to any arbitrary riddle
Defined here relative to exact cover (XC); XC is NP-complete, so we can translate any riddle to it
[GGSW13] Garg, Gentry, Sahai, Waters, STOC 2013

Recall Exact Cover
[figure: universe {1, 2, 3, 4, 5}; sets {1,2,3}, {2,4,5}, {1,4}, {2,3,5}]

Witness Encryption
- Message encrypted w.r.t. an XC instance
- Encryptor need not know a solution, or even whether a solution exists
- Anyone with a solution can decrypt
- Secrecy ensured if no solution exists
[figure: instance {1,2,3}, {2,4,5}, {1,4}, {2,3,5} is decryptable ({1,4} and {2,3,5} form an exact cover); instance {1,2,3}, {2,4,5}, {1,4}, {2,3,4,5} has no exact cover, so the message stays secret]

Witness Encryption Using MMAPs
Security of Witness Encryption*